
Multiple Vulnerabilities at Canada.com websites

09.05.02

BACKGROUND

CanWest Interactive operates Canada.com, Canada's full-service portal for personalized information and services including travel, autos, careers, finance, free e-mail, news, shopping, sports, a business and people directory, and more. It averages 103 million page impressions and over 2 million unique users per month.

DESCRIPTION

Three vulnerabilities exist at Canada.com websites. Exploiting any of them could enable an attacker to access the e-mail account or financial portfolio of a targeted Canada.com user.

Cross Site Scripting at http://finance.canada.com

Canada.com's finance site, located at http://finance.canada.com allows users to track financial portfolios. Users enter individual stock symbols along with the quantity of shares purchased, date purchased and commission paid. The site will then track the gains and losses for the portfolio.

The finance site uses session cookies to maintain state. The cookie is not persisted to disk and is discarded when the user either closes the browser window or logs out of the site. A cross-site scripting (XSS) vulnerability exists that would allow an attacker to access the session cookies of an authenticated user. It is important to note that because session cookies are used, the victim would need to be logged into his portfolio at the time of the attack.

The following URL provides a proof of concept for the attack. If an authenticated user were to click on the URL, their session cookies would be displayed in an alert window:

http://finance.canada.com/bin/quote/?Symbol=%22%3C/font>< script >alert(document.cookie)< /script >&x=35&y=9

Weak Session IDs at http://finance.canada.com

While the aforementioned vulnerability details how an attacker can steal session cookies via an XSS attack, this is not necessary if the attacker knows the username of the victim, because the session identifier is derived entirely from that username. The finance site uses the following session cookie to maintain state for a logged in user:

CBUSER=[username]:canada; expires=; path=/; domain=finance.canada.com

Simply by sending a request to the finance site with a CBUSER cookie whose username field holds an established username, it is possible to view and edit the financial portfolio set up by that legitimate user. No secret is involved, so the user does not need to be logged in at the time of the attack.
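The following is an added example, not code from the advisory or from Canada.com, that contrasts the CBUSER scheme described above with a session scheme whose cookie value carries no information about the user. The weak_* functions mirror the advisory's cookie format; the strong_* functions, the SID cookie name, the 30-minute lifetime and the in-memory store are assumptions made for illustration. The point is that a forged cookie built from a known username is useless against the second scheme: the cookie value is a 256-bit random token that only the server can map back to a user.

```python
import secrets
import time

# Hypothetical in-memory session store (constructed for this example).
# Maps random token -> {"user": ..., "created": unix time}.
_sessions = {}


def weak_login(username):
    """Issue a cookie in the format the advisory describes: the value IS the username."""
    return "CBUSER={}:canada".format(username)


def weak_lookup(cookie):
    """Resolve the CBUSER cookie. Anyone who can spell the username is 'authenticated'."""
    if not cookie.startswith("CBUSER="):
        return None
    user, _, realm = cookie[len("CBUSER="):].partition(":")
    return user if (user and realm == "canada") else None


def strong_login(username):
    """Issue a session cookie whose value is an unguessable random token.

    The username lives only in the server-side store; nothing in the cookie
    can be derived from it.
    """
    token = secrets.token_urlsafe(32)  # 32 bytes of CSPRNG output, URL-safe base64
    _sessions[token] = {"user": username, "created": time.time()}
    return "SID={}".format(token)


def strong_lookup(cookie, max_age=1800):
    """Resolve a SID cookie: the token must exist in the store and be fresh.

    A cookie the attacker builds from a victim's username never matches,
    because tokens are never derived from the username.
    """
    if not cookie.startswith("SID="):
        return None
    token = cookie[len("SID="):]
    entry = _sessions.get(token)
    if entry is None:
        return None
    if time.time() - entry["created"] > max_age:
        _sessions.pop(token, None)  # expired: drop it server-side too
        return None
    return entry["user"]


def logout(cookie):
    """Invalidate the session on the server, not merely in the browser."""
    if cookie.startswith("SID="):
        _sessions.pop(cookie[len("SID="):], None)


if __name__ == "__main__":
    # Attacker knows only the victim's username.
    print("weak scheme, forged cookie ->", weak_lookup("CBUSER=victim:canada"))
    print("strong scheme, forged cookie ->", strong_lookup("SID=victim:canada"))
    real = strong_login("victim")
    print("strong scheme, real cookie ->", strong_lookup(real))
    logout(real)
    print("after logout ->", strong_lookup(real))
```

The server-side store is what makes logout and expiry meaningful: with the CBUSER scheme there is nothing to invalidate, which is why the advisory notes that the victim need not even be logged in.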

Cross Site Scripting at http://mail.canada.com

Like many web portals, Canada.com offers free e-mail accounts. Canada.com users can read and send e-mail messages via a web browser by accessing the http://mail.canada.com web site.

A cross-site scripting (XSS) vulnerability exists that would allow an attacker to access the session cookies of an authenticated user. It is important to note that because session cookies are used, the victim would need to be logged into his e-mail account at the time of the attack.

The following web page provides a proof of concept for the attack. The form submits itself on load, so if an authenticated user were merely to view the page, the injected create_name value would be reflected by the mailbox handler and their session cookies would be displayed in an alert window:

<html>
<head>
</head>
<body onload="document.forms[0].submit()">
<form method="post" action="http://mail.canada.com/mail/mailbox">
<input type="hidden" name="create_name" value="<script>alert(document.cookie)</script>">
<input type="hidden" name="submitted" value="true">
</form>
</body>
</html>
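Both XSS issues above share one root cause: a request parameter (the Symbol query string field on the finance site, the create_name form field on the mail site) is written back into the page without HTML encoding. The following is an added example, not code from the advisory or from Canada.com, showing a minimal server-side render of each response in the vulnerable form and in a form that encodes the value on output. The page templates, the function names, the stock-symbol allowlist and the properly URL-encoded copy of the advisory's finance PoC are all assumptions made for this illustration.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# The advisory's finance PoC, re-encoded so it parses as a single query string
# (constructed for this example; same payload as in the advisory).
POC_URL = ("http://finance.canada.com/bin/quote/?Symbol=%22%3C/font%3E"
           "%3Cscript%3Ealert(document.cookie)%3C/script%3E&x=35&y=9")

# The advisory's mail PoC posts this value in the create_name field.
POC_CREATE_NAME = "<script>alert(document.cookie)</script>"


def symbol_from_url(url):
    """Extract the Symbol query parameter exactly as a CGI handler would see it."""
    params = parse_qs(urlsplit(url).query)
    return params.get("Symbol", [""])[0]


def render_quote_vulnerable(symbol):
    """Hypothetical quote page that echoes the parameter raw (the flaw described)."""
    return '<font size="2">Quote for: ' + symbol + "</font>"


def render_quote_fixed(symbol):
    """Same page with the parameter HTML-encoded on output."""
    return '<font size="2">Quote for: ' + html.escape(symbol, quote=True) + "</font>"


def is_valid_symbol(symbol):
    """Defence in depth: a ticker symbol never legitimately contains markup."""
    return re.fullmatch(r"[A-Za-z0-9.\-]{1,12}", symbol) is not None


def render_mailbox_vulnerable(create_name):
    """Hypothetical mailbox page echoing the create_name POST field raw."""
    return '<input name="create_name" value="' + create_name + '">'


def render_mailbox_fixed(create_name):
    """Same page with the field encoded; quote=True also neutralises attribute breakout."""
    return '<input name="create_name" value="' + html.escape(create_name, quote=True) + '">'


def contains_script(page):
    """Crude check used here to show whether a tag survived into the response."""
    return "<script" in page.lower()


if __name__ == "__main__":
    sym = symbol_from_url(POC_URL)
    print("finance, raw echo   :", render_quote_vulnerable(sym))
    print("finance, encoded    :", render_quote_fixed(sym))
    print("finance, allowlisted:", is_valid_symbol(sym))
    print("mail, raw echo      :", render_mailbox_vulnerable(POC_CREATE_NAME))
    print("mail, encoded       :", render_mailbox_fixed(POC_CREATE_NAME))
```

Encoding at the point of output is the fix that covers both sites; the allowlist on the stock symbol is an extra check that rejects the finance payload before it is ever rendered, but it is not a substitute for output encoding on fields such as create_name where arbitrary text is legitimate.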

ANALYSIS

The XSS exploits provide a proof of concept, but could easily be modified to send the captured session cookies to a web server controlled by the attacker instead of displaying them. Once the attacker obtained the session cookies they could replay them to hijack the victim's session and access either their financial portfolio or e-mail account. Both attacks require an element of social engineering, as the victim would need to click on the URL or view the web page; this could be accomplished by sending the URL or web page to the user via e-mail. The weak session IDs used by the finance site require no such interaction and make it trivial for an attacker to access financial portfolios established by legitimate users.

The financial portfolios are not linked to brokerages and an attacker would not therefore be able to cause financial harm to the victim. However, this does present a privacy risk due to the fact that many people use this site to track established portfolios. An attacker could therefore use this attack to gain detailed financial information.

By using the XSS attack for the mail site, an attacker could access the e-mail account of a legitimate user. Once the account is accessed, the attacker could view the victim's e-mail messages or send messages from their account. This attack presents privacy and non-repudiation risks.

DETECTION

All users that have established financial portfolios or e-mail accounts at Canada.com are vulnerable.

WORKAROUND

No workaround is available as of this writing.

VENDOR RESPONSE

Numerous attempts were made to contact the web site administrator(s) to inform them of the vulnerabilities, however no response has been received as of this writing.

CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project did not assign identification numbers for these issues.

DISCLOSURE TIMELINE

08/21/2002 Initial administrator contact attempted
08/26/2002 Second attempt at administrator contact
08/26/2002 iDEFENSE clients notified
08/21/2002 Announcement made to vendor-sec@lst.de
09/05/2002 iDEFENSE releases public advisory

CREDIT

Michael Sutton (msutton@idefense.com) is credited with discovering these vulnerabilities.